Northwest Arkansas Democrat-Gazette
Equifax catching flak for response
NEW YORK — A day after credit-reporting company Equifax disclosed that “criminals” had stolen vital data of about 143 million Americans, it had somehow managed to leave much of the public in the dark about their exposure, how they should protect themselves and what Equifax planned to do for those affected.
The breach is unquestionably serious. It exposed crucial pieces of personal data that criminals could use to commit identity theft, from Social Security numbers and birth dates to address histories and legal names.
That data — the “crown jewels of personal information,” in the words of independent credit analyst John Ulzheimer — can’t be changed, and once it’s in circulation, it’s basically out there forever.
But Equifax’s response has satisfied almost no one.
Consumers complained of jammed phone lines and uninformed representatives. An Equifax website set up to help people determine their exposure looked like a scam to some, and provided inconsistent and unhelpful information to others. Congress planned hearings.
Anders Ohlsson, a 47-yearold technical manager in Scotts Valley, Calif., called a hotline multiple times and was disconnected; entered the last six digits of his Social Security number into Equifax’s emergency website; and finally spoke with a call center manager. He still doesn’t know whether his information has been compromised.
“I don’t think I’ve gotten hold of a person that actually cares,” he said. “Now they’re fumbling to tell people what’s going on. But they really don’t know what’s going on.”
Equifax plays a key role in the financial industry, making this breach more alarming than previous ones at Yahoo or retailers. The company is a storehouse of personal information, like how much people owe on their houses and whether they have court judgments against them.
Lenders rely on the information collected by three big credit bureaus — Equifax, TransUnion and Experian — to help them decide on financing for homes, cars and credit cards. Credit checks are sometimes done by employers when deciding whom to hire.
The strongest immediate option for protection involves placing a credit freeze on files with the major credit bureaus. That locks down personal information, making it impossible for outsiders to open new accounts and bank cards.
“The credit freeze is the nuclear option of credit protection,” said Matt Schulz, an analyst with CreditCards. com. “But in the wake of a breach this big, it’s worth considering.”
Information is available at the emergency Equifax website, https://www. equifax security2017. com/, and by calling (866) 447-7559. The company also says it will send mail to all who had personally identifiable information stolen.
Any data breach threatens to tarnish a company’s reputation, but Equifax hasn’t done much to minimize that damage.
Atlanta-based Equifax said Thursday that the breach took place between midMay and July of this year. It discovered the hack July 29, but waited until Thursday to warn consumers. Its communications with the public have so far been limited to official statements.
To Georgia Weidman, founder and chief technology officer for security firm Shevirah, the company’s emergency-information website looks a lot like the kind of site scammers would use to trick people into giving up passwords or other crucial information.
“It’s teaching people entirely the wrong things about using the Internet securely,” Weidman said. She said says she’s also troubled by Equifax’s approach to security generally, including reports that it didn’t respond to basic scripting bugs it was warned about last year.
Company officials are also under scrutiny. Three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators. Equifax said the three executives — one of them the company’s chief financial officer — didn’t know about the breach at the time of the sales, but didn’t answer further questions.
Washington regulators and politicians swiftly criticized Equifax, and Jeb Hensarling, chairman of the House Financial Services Committee, said he will call for congressional hearings.
An Equifax requirement that appeared to force affected customers into arbitration also drew a backlash. Democrats in the House and Senate called on the company to pull back from language that suggested anyone who signs up for credit monitoring also gives up their right to join a class-action lawsuit against Equifax.
New York Attorney General Eric Schneiderman said he was starting his own investigation.
Equifax released a statement Friday evening declaring that the arbitration requirement and class-action waiver will not apply to this particular breach. The company also said it had fixed problems with the emergency website and tripled its call center team to more than 2,000 agents.
Equifax shares fell about 13 percent to $123.75 in heavy trading. The decline equates to about $2.28 billion in lost market value.